Firewall groups

From VyOS Wiki

VyOS supports groups of IP addresses, subnets or ports for usage in firewall rules. Currently groups are supported for IPv4 only.

Here is an example:

vyos@vyos# show firewall
 group {
     address-group servers {
         address 1.1.1.1-1.1.1.5
         address 1.1.1.7
         address 3.3.3.3
         description "My set of blocked servers"
     }
     network-group good-nets {
         description "nets to allows"
         network 15.0.0.0/24
     }
     port-group bad-ports {
         description "list of ports to block"
         port 22
         port 23
         port ftp
         port 1000-2000
     }
 }

After your groups are created, you can reference them in firewall rules like this:

 name FW1 {
     rule 10 {
         action reject
         destination {
             group {
                 address-group servers
                 port-group bad-ports
             }
         }
         source {
             group {
                 network-group good-nets
             }
         }
     }
 }
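The two steps above (define the groups, then reference them from a rule) map one-to-one onto VyOS `set` commands. The following is an added example, not code from the VyOS project: it generates those `set firewall ...` commands from the page's group and rule definitions, with the command paths derived from the `show firewall` output above, and rejects the errors that are easy to make by hand: IPv6 entries (groups are IPv4 only), inverted address or port ranges, ports outside 1-65535, unknown service names, prefixes with host bits set, and a rule that references a group that was never defined. The service-name table is an assumed fallback for hosts without `/etc/services`.

```python
"""Generate and sanity-check VyOS "set firewall ..." commands for groups and rules.

Added example, not VyOS project code. Command paths are derived from the page's
"show firewall" output: set firewall group <kind> <name> <keyword> <value> and
set firewall name <ruleset> rule <n> <side> group <kind> <name>.
"""
import ipaddress
import socket

# Assumed fallback for hosts without /etc/services; getservbyname() is tried first.
COMMON_SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}


def check_address(entry):
    """An address-group member: one IPv4 host or an ascending 'start-end' range."""
    parts = entry.strip().split("-")
    if len(parts) > 2:
        raise ValueError(f"malformed address entry {entry!r}")
    addrs = [ipaddress.ip_address(p) for p in parts]
    if any(a.version != 4 for a in addrs):
        raise ValueError(f"groups are IPv4 only: {entry!r}")
    if len(addrs) == 2 and addrs[0] > addrs[1]:
        raise ValueError(f"inverted address range {entry!r}")
    return "-".join(str(a) for a in addrs)


def check_network(entry):
    """A network-group member: an IPv4 prefix with no host bits set (strict)."""
    net = ipaddress.ip_network(entry.strip(), strict=True)
    if net.version != 4:
        raise ValueError(f"groups are IPv4 only: {entry!r}")
    return str(net)


def service_port(name):
    """Resolve a service name such as 'ftp' to its port number."""
    try:
        return socket.getservbyname(name)
    except OSError:
        if name in COMMON_SERVICES:
            return COMMON_SERVICES[name]
        raise ValueError(f"unknown service name {name!r}")


def check_port(entry):
    """A port-group member: a number, a service name, or an ascending 'start-end' range."""
    parts = entry.strip().split("-")
    if len(parts) > 2:
        raise ValueError(f"malformed port entry {entry!r}")
    nums = [int(p) if p.isdigit() else service_port(p) for p in parts]
    if any(not 1 <= n <= 65535 for n in nums):
        raise ValueError(f"port out of range in {entry!r}")
    if len(nums) == 2 and nums[0] > nums[1]:
        raise ValueError(f"inverted port range {entry!r}")
    return entry.strip()


# Group kind -> (member keyword in the config tree, validator for members)
MEMBER_KEYWORD = {
    "address-group": ("address", check_address),
    "network-group": ("network", check_network),
    "port-group": ("port", check_port),
}


def group_commands(kind, name, members, description=None):
    """Commands that create one group; returns the list of 'set' lines."""
    keyword, check = MEMBER_KEYWORD[kind]
    cmds = []
    if description:
        cmds.append(f'set firewall group {kind} {name} description "{description}"')
    cmds += [f"set firewall group {kind} {name} {keyword} {check(m)}" for m in members]
    return cmds


def rule_commands(ruleset, number, action, defined, source=None, destination=None):
    """Commands for one rule that matches on groups. 'defined' holds the (kind, name)
    pairs created so far; referencing anything else is rejected up front instead of
    producing a rule whose group does not exist."""
    cmds = [f"set firewall name {ruleset} rule {number} action {action}"]
    for side, refs in (("source", source or {}), ("destination", destination or {})):
        for kind, name in refs.items():
            if (kind, name) not in defined:
                raise ValueError(f"rule {number} references undefined {kind} {name!r}")
            cmds.append(f"set firewall name {ruleset} rule {number} {side} group {kind} {name}")
    return cmds


def build_page_config():
    """The groups and FW1 rule 10 from the page, as a list of 'set' commands."""
    groups = [  # constructed from the page's show output
        ("address-group", "servers", ["1.1.1.1-1.1.1.5", "1.1.1.7", "3.3.3.3"],
         "My set of blocked servers"),
        ("network-group", "good-nets", ["15.0.0.0/24"], "nets to allow"),
        ("port-group", "bad-ports", ["22", "23", "ftp", "1000-2000"], "list of ports to block"),
    ]
    cmds = []
    for kind, name, members, desc in groups:
        cmds += group_commands(kind, name, members, desc)
    defined = {(kind, name) for kind, name, _, _ in groups}
    cmds += rule_commands("FW1", 10, "reject", defined,
                          source={"network-group": "good-nets"},
                          destination={"address-group": "servers", "port-group": "bad-ports"})
    return cmds


if __name__ == "__main__":
    print("\n".join(build_page_config()))
```

Run it and paste the printed lines into configure mode (followed by `commit` and `save`); a validation error stops generation before any command reaches the router, which is the point of checking group membership and group references offline rather than discovering a typo after commit.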